/etc/rc.d/jail: losing IPs if jail_x_interface set and syntax error in jails /etc/rc?
Florent Thoumie
flz at xbsd.org
Wed Dec 27 12:40:09 PST 2006
Philipp Wuensche wrote:
> Raphael H. Becker wrote:
>> Hi *,
>>
>> I recently triggered an error when setting up a jail-host: I configured
>> the jail(s) like every jail I set up in the past:
>
> Yes, this is a bug in rc.d/jail and was introduced in this change:
> http://www.freebsd.org/cgi/cvsweb.cgi/src/etc/rc.d/jail.diff?r1=1.31&r2=1.32.
>
> When a jail fails to start, in your case a broken rc.conf in the jail,
> the jail is stopped and the ipaddr-alias is unconfigured from the
> interface with the following command: ifconfig ${jail_interface} -alias
> ${jail_ip}
>
> Unfortunately in the change above the variables were renamed to
> _interface and _ip, this leads to ifconfig getting executed without a
> specified ipaddr. and therefore the first alias is unconfigured, which
> is in most cases the ipaddr. you are having access to the remote host.
>
> ${jail_interface} is only the correct interface out of luck, so it
> should be changed to _interface too.
>
> I think the correct way would be to call jail_stop() instead of doing
> the cleanup by hand but in the current implementation this would leave
> the ipaddr-alias configured on the interface.
>
> I think I already mentioned once that I don't like this interface and
> ipaddr. configuration feature in rc.d/jail at all.
>
> Anyway, the quick fix is trivial and should be included in 6.2.
> Otherwise we have a possible DoS security problem with the new release.
>
> --- rc.d/jail.old Fri Dec 22 03:09:27 2006
> +++ rc.d/jail Fri Dec 22 03:10:07 2006
> @@ -228,8 +228,8 @@
> echo ${_jail_id} > /var/run/jail_${_jail}.id
> else
> jail_umount_fs
> - if [ -n "${jail_interface}" ]; then
> - ifconfig ${jail_interface}
> -alias ${jail_ip}
> + if [ -n "${_interface}" ]; then
> + ifconfig ${_interface} -alias ${_ip}
> fi
> echo " cannot start jail \"${_jail}\": "
> tail +2 ${_tmp_jail}
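Review bot: the new guard on the "+ if [ -n "${_interface}" ]; then" line tests only _interface, but the command under it also expands ${_ip} unquoted, so an empty _ip would again produce "ifconfig <interface> -alias" with no address, which is the failure this patch is meant to remove. Consider testing both values in the condition, for example [ -n "${_interface}" ] && [ -n "${_ip}" ], and quoting both expansions in the ifconfig call so that an empty value can never drop out of the argument list silently.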
Patch looks good. Would be indeed nice to have this fixed before 6.2R is
released.
--
Florent Thoumie
flz at FreeBSD.org
FreeBSD Committer
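
The failure mode described in the quoted message, as an added example that is not part of the original thread or of rc.d/jail: ifconfig is replaced by a recording stub so the argument list each cleanup variant would pass can be compared. cleanup_strict, run_case and the interface and address values are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed demo: ifconfig is a recording stub, so no real interface is touched.
CALLS=""
ifconfig() { CALLS="${CALLS}ifconfig $*;"; }

# The '-' lines of the patch: guard and command use the pre-rename names.
cleanup_old() {
    if [ -n "${jail_interface}" ]; then
        ifconfig ${jail_interface} -alias ${jail_ip}
    fi
}

# The '+' lines of the patch: renamed variables, same unquoted expansion.
cleanup_patched() {
    if [ -n "${_interface}" ]; then
        ifconfig ${_interface} -alias ${_ip}
    fi
}

# Hypothetical stricter variant (not in the patch): require both values, quote both.
cleanup_strict() {
    [ -n "${_interface}" ] && [ -n "${_ip}" ] || return 0
    ifconfig "${_interface}" -alias "${_ip}"
}

# Run one variant and print the argument list the stub recorded.
run_case() {
    CALLS=""
    "$1"
    printf '%s' "${CALLS}"
}

# Constructed state: jail_interface still holds a value, jail_ip was never set,
# and the renamed variables carry the jail's settings (192.0.2.10 is a documentation address).
jail_interface=em0; jail_ip=""
_interface=em0; _ip=192.0.2.10

for variant in cleanup_old cleanup_patched cleanup_strict; do
    printf '%-16s %s\n' "${variant}" "$(run_case "${variant}")"
done
```

The cleanup_old line of the output shows the command ending at -alias with no address, which is the call that removes the first alias on the interface.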